Sometimes more is more…

The ECB recently shared their industry consultation paper on a guide for effective risk data aggregation and risk reporting. What is clear from the paper is that in their view most banks have still not done enough to meet their expectations. Areas of concern include risk management weaknesses, lack of appropriate ownership and oversight, insufficient funding, inadequate data and reporting scope, and overall risk management ambition. Crucially mention is made to applying their regulatory toolkit in a more robust fashion, and specific reference to potential capital measures. Whilst there are no new requirements stated (per se), the guidance should provide clarity on some of the more ambiguous areas and establish what is needed in a clearer fashion. The theme of the paper suggest the ECB will not accept the traditional reasons provided for delays, such as cost cutting measures or competing priorities. In summary, they want banks to take BCBS239 more seriously.

What is the issue?

Many banks have not done enough to embed the BCBS239 Principles and RDARR, for which the root cause is somewhat placed in role of the banks management body and project management. This view appears to have been formed based on ongoing activities such as , onsite inspections, open SREP findings and consistent issues in the regulatory returns (e.g., COREP/FINREP and fire drills) which have caused them to lose some confidence in some banks ability to make good and timely economic decisions. ?

Why have the requirements not been met?

There are several reasons why embedding the principles is challenging. The principles themselves are non-specific, leading to confusion in what is needed to meet them. There is a substantial cost in addressing the challenges with RDARR and delivering a plan whilst accommodating other related priorities. Adoption of new capabilities for data management and changing the nature of individuals roles takes time and many issues of business and IT complexity. To name a few!

What needs to be done?

Banks need to urgently review their commitments to BCBS239, their programmes, roles and responsibilities and extent to which they have embedded the principles. The consultation paper outlines the problematic areas across governance, data, IT, and reporting. There is an expectation of a loftier ambition with respect to the future of banks risk management and reporting, data management, IT infrastructure and fewer issues expected in regulatory returns. Key elements within the paper suggest some following areas of focus.

• Ensure the scope of RDARR covers the binding data quality requirements for Pillar 1&2, model risk inputs and risk appetite metrics as a minimum
• Ensure the operating models for RDARR have been established from front line to management layer.
• Develop a compliance framework, or definition of how to meet compliance with the principles with an appropriate management owner.
• Address issues in regulatory reporting coming through COREP and FINREP or the fire drills and create a remediation plan.
• Embed data management specially regarding data ownership, lineage and the remediation of poor-quality data and implement the data governance framework.
• Address issues in controls standards in front line and establish further independent validation should it be required.

How can we help?

We have been helping our global client base embed RDARR and the BCBS239 Principles for 10 years and have accelerators, assets, and dedicated resources available to help on your compliance journey. Should you require any help with any of the topics within this blog, or if you would like to discuss the impact of this updated guidance, please contact me or Richard Cryer.